Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Friday, December 30, 2005

Why is Zero-Day WMF Exploit such a big deal?

YES, we’re making a big deal out of this flaw in Windows XP and Windows Server 2003.

NO, the AntiSpyware companies are not creating Spyware so you’ll buy our products.

If anything this new problem shows how none of the security programs on the market can protect you 100% and I doubt they ever will. 

The solution to this problem isn’t to purchase my software or anyone else’s. It’s simple and you should do it immediately.

Click on the Start button and select “Run…”.
Type or copy/paste the following
regsvr32 /u shimgvw.dll
and click OK.
This will unregister shimgvw.dll, the Windows Picture and Fax Viewer component that also draws the thumbnail views in Windows Explorer. The file is not deleted. Note that this only stops Explorer and the viewer from loading that file; the flaw itself is in the Windows graphics rendering engine, so any program that draws WMF images through it can still be used to trigger it.
Also, don’t use MSPaint, which is included with Windows, to open images until the patch is out.

Why is this such a big deal??

1)  As I said, no security software available will stop this threat. Some will contain it, but the actual infection can occur by just viewing an Email or web page. You don’t have to download anything. Just viewing a document with a hacked image will infect you, period.

2)  An example of the programming code that allows this hack has been widely distributed and is still available online.  That means a twelve-year-old with some computer skills can build their own version and put it out on the web. It could be in an Email, an eBay sale page, a forum message, anywhere.
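To make concrete what “a hacked image” means, here is an added example (not code from this post, from WinPatrol, or from Microsoft) that scans a .WMF file for the record the attack relies on. A WMF file is a sequence of GDI drawing records; the widely documented detail this post does not go into is that the zero-day lives in how the graphics engine handles the META_ESCAPE record carrying escape code 9, SETABORTPROC, which installs an “abort procedure” callback and, on unpatched systems, lets bytes supplied in the file run as that callback. A mail gateway or download scanner can refuse any metafile that carries such a record, whatever the file extension says, without needing a signature for each variant. The two sample files are constructed inline; the eight “payload” bytes in the second one are zero filler, not an exploit.

```python
"""Scan a Windows Metafile for META_ESCAPE/SETABORTPROC records.

Added example, not from the original post or from WinPatrol.  Record
layout follows the public WMF format.  The sample files at the bottom are
constructed here for the test; the payload bytes are zero filler.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626           # record type: Escape()
SETABORTPROC = 0x0009          # escape sub-function the 2005 zero-day abuses


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record; raise on malformed input."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22                         # skip placeable header (checksum not verified)
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    # Standard header: mtType, mtHeaderSize (words), mtVersion, mtSize (dword),
    # mtNoObjects, mtMaxRecord (dword), mtNoParameters = 18 bytes.
    mt_type, mt_header_size = struct.unpack_from("<HH", data, pos)
    if mt_type not in (1, 2) or mt_header_size != 9:
        raise ValueError("not a WMF header")
    pos += mt_header_size * 2
    while pos + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, pos)   # size in 16-bit words
        end = pos + rd_size * 2
        if rd_size < 3 or end > len(data):
            raise ValueError(f"bad record size at offset {pos}")
        yield pos, rd_func, data[pos + 6:end]
        if rd_func == META_EOF:
            return
        pos = end


def find_abortproc_escapes(data: bytes):
    """Offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_code, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_code == SETABORTPROC:
                hits.append(off)
    return hits


def is_suspicious_wmf(data: bytes) -> bool:
    """Gateway decision: block on SETABORTPROC, and block files we cannot parse."""
    try:
        return bool(find_abortproc_escapes(data))
    except ValueError:
        return True


# --- constructed samples (not real captured files) -----------------------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(recs, placeable: bool = False) -> bytes:
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) // 2 for r in recs), 0)
    if placeable:   # key, handle, bbox (4 x int16), inch, reserved, checksum (not computed)
        header = struct.pack("<IH4hHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 1440, 0, 0) + header
    return header + body


BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])

# Same shape as the exploit files: an Escape record selecting SETABORTPROC
# followed by "callback" bytes.  Here the payload is eight zero bytes.
EXPLOIT_SHAPED_WMF = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
    _record(META_EOF),
], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("exploit-shaped", EXPLOIT_SHAPED_WMF)):
        print(f"{name}: suspicious={is_suspicious_wmf(blob)} hits={find_abortproc_escapes(blob)}")
```

The scanner deliberately treats anything it cannot parse as suspicious: a viewer will happily render a file with a bogus header, so “I couldn’t understand it” is not a reason to let it through.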

Microsoft has acknowledged the problem and I suspect some folks in Redmond won’t be at home this weekend. 
Microsoft Security Advisory (912840)
Once Microsoft has a fix available you can re-register shimgvw.dll by typing the same command above without the /u:
regsvr32 shimgvw.dll

 

 



WMF Exploit More Help

I’ve received a lot of feedback from many of our WinPatrol users regarding the WMF Exploit danger I wrote about yesterday. It’s clear that this threat has been distributed widely and is a real danger to all users. I’ve come up with a couple more tips you should consider.

My first tip is specific for AOL users.

Click on the Settings icon or go to Keyword “Settings”.




One of the options under E will be “Email Setting”.

You’ll see a dialog with the option “Hide images and disable links in mail”.
The check box “Hide images and disable links in mail from unknown senders” should always be checked.
This will prevent any dangerous images from being displayed in AOL Email and also keep you from clicking on potentially dangerous links. This won’t help when using AOL’s browser or most forms, since Internet Explorer is integrated into the AOL client.

A safety feature built into Windows is Data Execution Prevention (DEP).

Hardware-enforced DEP depends on the type of processor you’re using (it needs a CPU with the NX/XD feature) and on how new your computer is; software-enforced DEP, which every XP SP2 machine has, only checks the handling of exceptions and does not stop code from running out of data areas. By default XP SP2 applies hardware DEP only to core Windows programs and services (the “OptIn” setting), so it does nothing for other programs unless you switch it to cover all programs.
Microsoft has information in their article titled Changes to Functionality in Microsoft Windows XP Service Pack 2:
“Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP SP2, DEP is enforced by both hardware and software.”
Alex Eckelberry of Sunbelt Software has kindly posted details on how to check if your computer supports DEP, complete with screen shots and steps to turn it on. Unfortunately, there has been some debate whether turning on DEP will protect you completely or whether it affects system performance.

Our best advice remains to continue using WinPatrol and unregister shimgvw.dll as explained in our last entry.
Click on the Start Button and select “Run”
Type in “regsvr32 /u shimgvw.dll” and click OK


Thursday, December 29, 2005

Zero-Day WMF Exploit

Just when you think threats to your personal computer can’t get much worse, another one pops up.
This one could be launched by simply viewing an image in the Windows Metafile format (.WMF), because of a flaw in a file that comes with Windows XP and Windows Server 2003.  A previously discovered flaw in which malicious code could be introduced by viewing a (.JPG) image has been fixed and the patch is available from Microsoft.  You would have thought Microsoft would have checked other image file types when they released the fix for the JPG exploit but I’m sure they were in a hurry.

At this point, there’s no patch available from Microsoft but I have a couple recommendations.

Change the default viewer for .WMF files. 

Open Explorer with (Win Key + E).
Go to the Tools menu and select Folder Options.
Click on the File Types tab.
Scroll down until you find “WMF Image”.
The default setting will be “Windows Picture and Fax Viewer”.
Use the Change button to set “Opens with” to a non-Microsoft program.

Unfortunately, this won’t help if the .WMF exists in a web page you’re viewing, but it can if the file arrives as an attachment in your Email.  It also does nothing for a .WMF file that has been renamed with another extension, since Windows recognizes the format by the file’s contents rather than by its name.  If you’re really concerned you can take a more drastic step.

Unregister shimgvw.dll

Click on the Start Button and select “Run”
Type in “regsvr32 /u shimgvw.dll” and click OK
This may seem like a drastic step and it will prevent thumbnails and some images from being displayed.
To restore the process, type “regsvr32 shimgvw.dll”  without the /u.
Once Microsoft provides a patch for the shimgvw.dll file you can re-register the file.

Nobody agrees yet on how serious this flaw is, but as more of the bad guys take advantage of it the sooner we’ll need that patch from Microsoft.  Meanwhile, as always, I recommend having WinPatrol monitoring your system. While WinPatrol won’t prevent the attack, it will alert you to any changes and allow you to remove the possible infections it tries to install.


Tuesday, December 27, 2005

Enhanced Monday Night Football

Last night a popular American pastime ended with little fanfare. The last broadcast of ABC’s Monday Night Football aired with a fairly dull game between the New England Patriots and New York Jets. I mention it here because few realize the technological advances made over the years by the production crew at ABC. I had the honor of being part of some of their innovative online advances.

Well ahead of other broadcast companies, Capital Cities/ABC had been experimenting online for years when it was purchased by the Walt Disney Company in 1995. ABC, along with Disney’s Buena Vista Internet Group, created the concept called Enhanced TV, which bridged the gap between the internet and broadcast television. The flagship of ABC’s Enhanced TV was Monday Night Football.

Viewers who had a computer near their TV could receive additional information about teams and players and participate in real-time polls and trivia, all synchronized with the live broadcast. Updated player stats were available with the click of a mouse. For the fantasy gamers, I was responsible for an interactive real-time game called PrimeTime Player™. Viewers could try their hand at predicting the next play and see how their picks compared to other players on our leaderboard.

Original PrimeTime Player 1998
Press Release 1999

Unfortunately, in those days not a lot of folks had computers located in the same room as their television. It hasn’t stopped ABC from developing additional ideas. The logo has changed but the possibilities are endless. As more of us watch TV with laptops or Tablet PCs I expect Enhanced TV might just have a future. I’m sorry that Monday Night Football won’t be part of it.


Other posts regarding the ABC Production team



Wednesday, December 21, 2005

Receipt of your payment - Phishing

There are hundreds of fake messages which might be used to trick you into clicking some link in your Email. I’ve already written about the “Have you been visiting illegal web sites” and other fake Amazon or eBay messages. These messages look legitimate, and as they become more compelling more users will be reeled into the web of identity theft.

This week I’ve been getting messages letting me know “Your payment was successful”, complete with a valid looking PayPal payment.  “What payment, I didn’t make this payment!”. This tactic is no doubt very successful.  I’m sure people want to correct this error for fear their bank or credit card account might be charged. Just like your mother always told you, “Don’t believe everything you read”

The internet has adopted the term “Phishing” for this type of behavior.  The sender mass-Emails some kind of legitimate-looking message in hopes you’ll click on a link which will take you into their evil realm.  The Email may even contain your name or city. Once you’ve clicked, the site will still appear to be valid and will most likely request some personal information or credit card data to resolve the problem.   As soon as you click on Submit, you’re a new victim of identity theft.

A related variation sends users to a web page where malicious code may automatically be downloaded to your machine (this is sometimes lumped in with “Spear-Phishing”, though that term properly means phishing aimed at a specific person or organization using details the attacker already knows about them).  The malicious program may have many evil purposes but typically it will record all your keystrokes and steal passwords and/or credit card information any time they are used in the future.

If you’d like to learn more about some common tricks used to infect your system with Spyware I encourage you to read Top 10 tricks causing spyware epidemic written by my friend Suzi Turner.
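The whole trick in the “Your payment was successful” mail is that the link you see is not the link you get. Here is an added example (not code from this post or from WinPatrol) that pulls every link out of an HTML message and flags the three give-aways: visible text that names one site while the href goes to another, a brand name used as a decoy inside somebody else’s domain, and a bare IP address or a user@ prefix hiding the real host. The brand list is an assumption you would replace with the senders you actually care about, and the sample mail is constructed; 203.0.113.10 and the .example domain are reserved documentation names, not real hosts.

```python
"""Audit the links in an HTML e-mail for the deception phishing relies on:
visible text that names one site while the link goes somewhere else.

Added example, not from the original post.  The brand list is an
assumption (whatever senders you actually care about) and the sample
message is constructed; 203.0.113.10 and the .example domain are
reserved documentation names, not real hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = ("paypal.com", "ebay.com", "amazon.com")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name: a crude stand-in for the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href: str, text: str):
    """Return the reasons a link looks deceptive; an empty list means it passed."""
    reasons = []
    url = urlparse(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return [f"non-web scheme {url.scheme!r}"]
    if url.username is not None:
        reasons.append("user@ before the host hides the real destination")
    if IPV4_RE.fullmatch(host):
        reasons.append("destination is a bare IP address")
    dest = registrable(host)
    for brand in KNOWN_BRANDS:           # brand used as a decoy inside another domain
        if brand in host and dest != brand:
            reasons.append(f"{brand} appears in {host} but the domain is {dest}")
    for shown in HOST_RE.findall(text):  # text names one site, href goes to another
        if registrable(shown) != dest:
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def audit_email(html: str):
    """[(href, text, reasons)] for every link that failed check_link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample in the style of the "Your payment was successful" mails.
SAMPLE_MAIL = """<html><body>
<p>Your payment of $249.00 was successful. If you did not authorize this
payment, <a href="http://paypal.com.secure-update.example/cgi-bin/webscr">log in
to PayPal</a> within 24 hours to cancel it.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com</a>.</p>
<p>Or use <a href="http://www.paypal.com@203.0.113.10/login">https://www.paypal.com/</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_MAIL):
        print(f"[{text!r}] -> {href}")
        for r in reasons:
            print("    ", r)
```

Run against the sample, the legitimate help link passes and the other two are reported. The “last two labels” approximation of the registered domain is fine for .com-style names; for country-code domains such as co.uk you would want a public-suffix list instead.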

 

 

 

 

 



Saturday, December 17, 2005

AOL and Google

The battle was on for the hearts and minds of AOL and its 20 million members.

The winner was Google, although they’re not the only ones who will benefit if this deal succeeds. In return for a billion dollars Google gets a 5% share in AOL. Google will also continue to be the search engine of choice for AOL.

The real winner will be AOL. A billion in cash is a great Christmas bonus and it couldn’t come at a better time for budgets at AOL. AOL has been struggling with how to roll out content to the non-AOL internet. The exposure by Google will make it possible for AOL to make this transition. In return, Google will benefit from the rich content, which includes a huge video library ripe for indexing.

As part of the deal, AOL will also get exclusive rights to sell Google ad space and keep a percentage of the revenue. AOL, with its acquisition of advertising.com and others, already has infrastructure in place to sell ads and now has more locations to put them. Both companies will benefit from the steady source of ad revenue.

The most promising part of this new arrangement is that both AOL and Google are on equal footing. Their corporate and low-level management are more compatible than in most recent mergers, including the AOL Time Warner marriage. Both companies respect each other, so we should expect to see more agreements from other units within the companies.

Google wins because it gains a stake in a solid, established asset. Google could also be a real winner if it learns from AOL’s mistakes. AOL became the poster child of companies whose value on paper and in perception exceeded their assets, and they let it go to their heads. AOL grew cocky and missed out on many lucrative relationships because they got too big for their britches. Google is currently the industry darling and could easily make some of the same mistakes. Google will be experiencing many of the same growing pains, like: how do you deal with employees who share a cubicle when one has 5 million in stock options, mostly exercised, and their co-worker, hired a month later, is still living on a regular paycheck?

The consumer could win if AOL takes some lessons from Google. Google has won favor by keeping their ads simple and not detracting from the content. They also have one of the best disclosure policies in the industry when it comes to installing software. I’m hoping this will rub off on AOL, who still hides their Uninstall option under their Help menu.

Microsoft is certainly the loser. AOL has never been happy with their treatment by Microsoft and this deal surely tastes sweet in Dulles and really sour in Redmond. The consumer could lose if Microsoft overreacts. Microsoft is becoming very ad-centric in their thinking and could push out some very annoying ad-supported concepts that consumers will be forced to swallow.

AOL and Google News


Wednesday, December 07, 2005

Christmas Computers

Santa asked me to install WinPatrol on a new computer, so yesterday I opened up a brand new Dell B130 laptop right out of the box. You may be surprised at all the garbage Dell is pre-installing on their systems. I guess this stuff helps keep down the price of the computer. Dell wants your sale so badly they even offer an option to split your purchase over two credit cards.

I think it’s fine that AOL includes a special deal icon on the desktop. They fought hard to get this right. What I don’t understand is that the AOLTray is pre-installed and an AOL security file (GW SEH Intercept) is embedded deep in the registry as a “ShellExecuteHook”. SEH here almost certainly stands for ShellExecuteHook (it is not “Structured encryption handling”, which is not a Windows term): a DLL registered under the ShellExecuteHooks key is loaded into the shell and gets to see every program launch before it happens.

Do Trend Micro, MusicMatch, InstallShield and Intel all need two or more programs running at Startup? One just in case you want to run their full program quicker and one which constantly checks for new updates of your software. I’m pretty sure you’ll gain some CPU cycles by doing without many of these.

I'm also at a loss to why Corel and DVDLauncher need to include detection programs in the Startup list. Microsoft has built-in file type associations and CD autorun methods so these programs should not be interfering with your default Windows setting. But the biggest gripe is that Dell is installing the MyWay Search Bar by default as a Browser Helper Object. I'm not a big fan of the MyWay Search bar which is owned by Ask Jeeves. They've used some very sneaky tactics in the past to get installed so I just don't trust them. Dell users are not given any opportunity to choose MyWay or have an understanding of what it may do.
For more information check what Alex Eckelberry says in his SunbeltBLOG http://sunbeltblog.blogspot.com/2005/09/askjeeves-question-hopefully-weve_12.html

Many of you may be giving or receiving computers from Santa this holiday season. I highly recommend you install WinPatrol program or your own favorite program that can manage startups. You could even just click on the Start button, select Run and type in "msconfig" and click OK. Chances are you'll be able to speed your computer up by as much as 40% by removing unneeded crap.
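The same inventory can be taken without touching the live machine, which is also how you would triage a registry dump from a computer you suspect. The added example below (not this post’s or WinPatrol’s code) parses a regedit export and lists the Run entries, the ShellExecuteHooks and the Browser Helper Objects, resolving each CLSID to the DLL that implements it. msconfig only shows you the Run entries and the Startup folder, so the hooks and BHOs are exactly the part it leaves out. The export is constructed in the style of the laptop described above; the CLSIDs and file paths in it are made-up placeholders, not the real identifiers of any product named here.

```python
"""Offline triage of a regedit (.reg) export: list the auto-start hooks
discussed above (Run keys, ShellExecuteHooks, Browser Helper Objects)
and resolve each CLSID to the DLL that implements it.

Added example, not from the original post or from WinPatrol.  It reads an
exported .reg file rather than the live registry, so it runs anywhere and
works on a registry dump taken from a machine under investigation.  The
sample export is constructed; its CLSIDs and file paths are made-up
placeholders, not the real identifiers of any product named on this page.
"""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str):
    """{key (lower-cased): {value name: data}}; '@' is the key's default value.
    String data is unescaped; dword:/hex: data is kept raw (continuation lines skipped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def resolve_clsid(keys, clsid: str):
    """(friendly name, InprocServer32 DLL) for a CLSID, from whichever hive has it."""
    for root in CLSID_ROOTS:
        base = f"{root}\\{clsid}".lower()
        name = keys.get(base, {}).get("@")
        dll = keys.get(base + "\\inprocserver32", {}).get("@")
        if name or dll:
            return name, dll
    return None, None


def autostarts(text: str):
    """[(kind, name, command or DLL)] for every auto-start entry in the export."""
    keys = parse_reg(text)
    found = []
    for run_key in RUN_KEYS:
        for name, command in keys.get(run_key.lower(), {}).items():
            found.append(("Run", name, command))
    for clsid in keys.get(SEH_KEY.lower(), {}):          # value names are CLSIDs
        if CLSID_RE.fullmatch(clsid):
            name, dll = resolve_clsid(keys, clsid)
            found.append(("ShellExecuteHook", name or clsid, dll))
    prefix = BHO_KEY.lower() + "\\"
    for key in keys:                                      # subkeys are CLSIDs
        if key.startswith(prefix):
            clsid = key[len(prefix):]
            if CLSID_RE.fullmatch(clsid):
                name, dll = resolve_clsid(keys, clsid)
                found.append(("BHO", name or clsid, dll))
    return found


# Constructed export; CLSIDs and paths are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLTray"="C:\\Program Files\\Example\\aoltray.exe"
"UpdateChecker"="C:\\Program Files\\Example\\updchk.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="GW SEH Intercept"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\sehintercept.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="MyWay Search Bar"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example\\searchbar.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for kind, name, target in autostarts(SAMPLE_EXPORT):
        print(f"{kind:17} {name:20} {target}")
```

To produce the input on a real machine, export the keys above with regedit (File, Export) or `reg export`, and remember that a 64-bit Windows keeps a second copy of the Run and BHO keys under Wow6432Node, which this script does not look at.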



Tuesday, December 06, 2005

AntiSpyware Zealots

It appears my last post has helped thrust my new Blog into the public eye. Most of the traffic came from a fellow "AntiSpyware Zealot" who goes by the name PaperGhost (http://www.vitalsecurity.org/). There has been one very positive result of the controversy initiated by 180Solutions daring to take on Zone Labs. The "AntiSpyware Zealots" have united!

Look out 180Solutions, because your worst secrets are being exposed. While 180Solutions claims they just can't police all their affiliates, it didn't take much effort from the Zealots to find a number of despicable examples of web sites run by folks who partner with 180Solutions. See the most recent example at http://castlecops.com/p672607-180Problems_Suing_ZoneLabs.html#672607

Special thanks to Suzi Turner at http://blogs.zdnet.com/Spyware/ who wrote about how we were all being called Zealots as if it was a bad thing. According to my Webster Dictionary:
Zealot = "one who is fanatically earnest."
Fanatic = extreme; excessive
Earnest = 1) Serious in purpose, 2) diligent, 3) important; grave, showing sincerity.

I like the term even though the viral Adware companies make it sound like a bad thing. They accuse most of us of a personal stake in their demise. Last year I made my points very clear to the FTC in my document http://www.ftc.gov/os/comments/spyware/040414billpstudios.pdf.

I have plenty of other good programming ideas. I would love to spend my time creating new, innovative, positive programs. Instead, I'm spending my time sniffing out unwanted garbage left on people's desktops without their understanding.



Saturday, December 03, 2005

180Solutions vs. Zone Labs

I caused a little bit of a stir this week when I appeared to side with adware company, 180Solutions in their lawsuit against Zone Labs, makers of Zone Alarm. 180Solutions has never been happy with most of the industry calling their programs Spyware and has tried in vain to scare security companies with bogus lawsuits. In one of the new versions of Zone Alarm, Zone Labs goes a step farther by implying that 180Solutions is monitoring your keystrokes and mouse movements.

The question here isn't if 180Solutions is spyware. Everyone I've talked to would agree they use despicable tactics to get installed on machines and would be considered spyware. The point missed by many recent news reports is; do they monitor keystrokes?

I experienced frustration and even anger with Zone Alarm when they started to tag my own program, WinPatrol, as a "key logger". I received a number of frantic Emails from loyal users and more than a few angry ones from users who took the message at face value and didn't know my reputation.
Most folks told me I had a good case against Zone Labs and recommended that I proceed with a law suit. Well, I'm just not that kinda guy. I have always been a fan of Zone Labs because they still make their basic product available for free.

Instead, I contacted Zone Labs to inform them of their error. Their response was very positive and they introduced me to their PASS Partner program which "enables software vendors to ensure their applications integrate seamlessly with Zone Labs products".
"Zone Labs provides software vendors with a tool to scan their network enabled executables and create checksums. These application checksums are used to automatically configure program permissions within Zone Labs products." I now use the tool provided by Zone Labs and send them the appropriate information each time a new version of WinPatrol is released.

While this solution worked for me, it still means that Zone Alarm will incorrectly flag many programs as key loggers when in fact they don't log keys or mouse movements. Zone Alarm's fault here is that it detects when applications use a particular Windows API function called "SetWindowsHook" (today SetWindowsHookEx). This function has been around since Windows 3.1 and can be used to monitor a variety of actions within the operating system. In my case WinPatrol uses it to help us detect any time a new program tries to launch. A 1993 article by Kyle Marsh details the useful capabilities of setting a Windows hook:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwui/html/msdn_hooks32.asp

I've listed some here
  • Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for an application (WH_MSGFILTER) or the system (WH_SYSMSGFILTER).
  • Process or modify all messages (of any type) whenever a SendMessage function is called (WH_CALLWNDPROC).
  • Process, modify, or remove keyboard events (WH_KEYBOARD).
  • Process, modify, or discard mouse events (WH_MOUSE).
  • Respond to certain system actions, making it possible to develop computer-based training (CBT) for applications (WH_CBT).

Obviously, not all programs using this function are malicious key loggers. What a hook can see depends on its type: a launch monitor needs WH_SHELL or WH_CBT, which never deliver keystrokes, while a key logger needs WH_KEYBOARD, WH_KEYBOARD_LL, WH_JOURNALRECORD or a message hook that watches for WM_KEYDOWN, so the hook type, not the mere call to SetWindowsHookEx, is the signal worth looking at. By flagging all applications that use this function as Key Loggers Zone Alarm is needlessly scaring the crap out of their users and giving a black eye to many legitimate programs. What's worse is they've opened up the door for a notorious company like 180Solutions to actually have a valid complaint.
